
Role without Tcode but with customized "Z" Object only

former_member676613
Participant
0 Kudos

Hi all,

Please help. My query is about a single role: when viewing that role in PFCG, no Tcode is assigned in the Menu tab, and in the Authorization tab -> Change Authorization only a single (one) Z auth object is maintained, with Display actvt. I am not able to understand how this works, and how the users are able to access the role without a TCODE assigned but with just a Z auth object. Please tell how this is going and working.

Your help will be greatly appreciated, and please tell how these Z auth objects are created.

Thanks,

Chandresh.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

> Please tell how this is going and working.

What did the role creator say when you asked them?

9 REPLIES

Former Member
0 Kudos

My favourite type of question...

Tcodes are not the only entry points to the system.. there are also RFCs, webservices, spawned jobsteps, etc.. which can also be publicly available or anonymously started - depending on how you build and configure them.

My first guess would be that this is a so called "delta role" which did not fit in anywhere else, so was created as "stand alone".

Check the documentation in SU21 on it and do a where-used-list lookup from there to find the coding location. If that does not work, do a code scan for the object name using report RS_ABAP_SOURCE_SCAN. You should find it.

If you don't, then more advanced forensics will be needed which are hard to do remotely or explain in a forum post.

If you tell me which fields the object has and what its name is, then it might help to narrow down the options. A check in a table view would be my first guess.

Cheers,

Julius

0 Kudos

Hi Julius,

Thanks for your support. I just want to tell you that the auth object is "z_plnt_auth", assigned to a role manually with field 'werks' = plant code and actvt = 03, and this object is defined in an ABAP program with an Authority-check statement.

Julius, please help me with how this flows from role to ABAP program to users; please explain what this is.

Regards,

Chandresh.

0 Kudos

> I just want to tell you that the auth object is "z_plnt_auth", assigned to a role manually with field 'werks' = plant code and actvt = 03, and this object is defined in an ABAP program with an Authority-check statement.

Okay, nothing special or new there...

Where is the program used and what does it do? Please check which other roles the users of this role have. It sounds like a "delta role".

Needless to say, "werks" is used in combination with "actvt" by several objects, so it is a bit of an excess considering that there are most likely standard objects for this.

I place my bets on it being used in a view (which would make some sense).

You need to provide more info (from the system) and just asking on site is a good idea (as mentioned by Alex).

Cheers,

Julius
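How a value maintained in a role reaches an ABAP program, as an added sketch that is not the program discussed in this thread and not any participant's code: the check below is evaluated against the authorizations in the user's master record, regardless of which role supplied them or how the program was started. The object name, WERKS and ACTVT 03 are taken from the post above; the report name, the parameter and the read of plant table T001W are assumptions.

```abap
REPORT z_plnt_auth_demo.
* Added illustration only. Z_PLNT_AUTH, WERKS and ACTVT = 03 come from
* the post above; the report name, the parameter and the read of plant
* table T001W are assumptions made for this sketch.

PARAMETERS p_werks TYPE werks_d OBLIGATORY.

DATA gv_name TYPE t001w-name1.

START-OF-SELECTION.
  " Compared against the authorizations in the user's master record,
  " i.e. the profiles generated from every role assigned to the user.
  " The role's Menu tab (tcodes) plays no part in this comparison.
  AUTHORITY-CHECK OBJECT 'Z_PLNT_AUTH'
    ID 'WERKS' FIELD p_werks
    ID 'ACTVT' FIELD '03'.

  CASE sy-subrc.
    WHEN 0.
      " Authorized: display the plant
      SELECT SINGLE name1 FROM t001w INTO gv_name
        WHERE werks = p_werks.
      WRITE: / p_werks, gv_name.
    WHEN 4.
      " User holds Z_PLNT_AUTH, but not for this plant / activity
      MESSAGE 'No display authorization for this plant' TYPE 'E'.
    WHEN 12.
      " User has no authorization for Z_PLNT_AUTH at all
      MESSAGE 'No authorization for object Z_PLNT_AUTH' TYPE 'E'.
    WHEN OTHERS.
      " Fail closed on any other return code
      MESSAGE 'Authorization check failed' TYPE 'E'.
  ENDCASE.
```

The start authorization for a transaction is a separate check, so a role carrying only this object adds plant values for code the user already reaches through another role or another entry point.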

0 Kudos

> You need to provide more infos (from the system) and just asking on site is a good idea (as mentioned by Alex).
>
> Cheers,
>
> Julius

I agree that asking onsite could give more insight into the Z-Object usage. I can explain the probable reason for having the Z-Object as a stand-alone authorization.

In a role inheritance scenario, when you have roles with 100+ transactions (role A, B, C, ...) which act as the master roles and the derived roles being A1, A2, A3, ... depending on the number of inherited roles you have in the set-up, authorization objects like customer authorization group or vendor authorization group can be a tough task (as these are not called in the organization level values) - in this situation the authorization groups would have to be maintained individually in the inherited roles, which can be a time-consuming task with the additional risk of passing down the values of the master role every time it is generated and inherited - a better option could be to maintain a non-existent value in the master role and inherit it, so the non-existent value is passed down to the inherited roles. To give access to the specific authorization groups, create a role with only the object F_KNA1_BED or F_BKPF_BED, as might be the case, maintain organization-specific values in these objects and assign it to the users who need it.

My guess would be that the Z-object the operator mentions is something that was developed to address such an issue.

0 Kudos

Julius/Alex/Jurjen/Bernard...

I don't want to flare up a controversy here, but I would appreciate your views on the scenario explained (Right/Wrong/Good/Bad)... I am not the owner of the thread, but it would be interesting to have your views.

0 Kudos

Hi Shekar,

Personally I believe this approach can have its uses if used carefully. Depending on your role design, it can improve flexibility and reduce role numbers without having a negative effect on security (which the value role concept can sometimes have).

Some examples where I have used it before include access to closed posting periods, release strategies, employee vendors.

Obviously there is also the position that the original poster has found - if not documented properly then it can be a pain to support, though for z* auth objects it's usually easier to pinpoint why it is being used.

Cheers

Alex

0 Kudos

Hi Alex,

I should confess... this is a real blinder... You made my day :-) ... I don't know why, but when I was writing the previous post I had this thought (somehow Alex would hate this).

I find the concept very helpful and, as you rightly said, if it is well documented and a systematic approach is followed for the naming conventions it could be very useful... in fact, on the project I currently work on, I have a similar set-up and it has drastically reduced the amount of fiddling needed to be done to the inherited roles.

0 Kudos

> I don't know why, but when I was writing the previous post I had this thought (somehow Alex would hate this)

Ha ha, I save most of my hate for composite roles & value roles.
